Host-based Information Leakage Detection and Prevention Systems (HILDP) are closely related to Host-based Intrusion Prevention Systems (HIPS) and therefore both types of systems shall be considered as prior art. HIPS focus on detecting and preventing attempts by outsiders to gain unauthorized access to resources on the host or execution of malicious code. By contrast, HILDP systems focus on detecting and preventing the transmission of sensitive information from the host to unauthorized destinations outside the enterprise.
In spite of the difference in focus and terminology, these systems are similar in structure and use essentially the same technical means to achieve their goals: detection and/or prevention of host-based activities which may constitute a violation of the organization's security policy. In this context, HIPS and HILDP shall be considered as two specific cases of a common class. The qualifier “Host-based” indicates that activity is monitored within each network-connected computer (host), in contrast to Network-based IPS and ILDP systems which analyze the network traffic on a shared computer network.
Application software running on the host can directly access only the application's own memory space. Access to any other resource, such as file storage, network resources or attached physical devices, is mediated by the operating system kernel or other system services. The application communicates with the operating system or system services via Application Programming Interfaces (APIs), system calls, Inter-Process Communication (IPC) or similar software interfaces. HIPS/HILDP systems use various means to intercept requests from the application software to the operating system kernel or system services. The software components performing this function are variously referred to as Sensors, Probes, Data-gathering components or other terminology, and are tailored to the type of interface and type of requests they are designed to intercept.
Sensors gather information about application requests and encapsulate the request parameters and context into a data structure which will be referred to as an Event or Event Description. If the request is a data transmission request, the event may also include the actual content or summary of the transmitted information. Events are communicated from the Sensors to a software component known as an Agent.
An HILDP/HIPS agent must be able to correlate or aggregate multiple low-level events into a smaller number of high-level events, which may be more meaningful to the goals of the system. The agent then applies a Policy to the Events. A Policy is a collection of Rules. Each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected. It is worth noting that in order to distinguish events and potentially respond to them with different reactions, the agent must have the pertinent information available as part of the event description at the time of the event.
In the case of HIPS, such as anti-virus applications, the policy is established to control unauthorized access to the host. Typically, sensors will report external access attempts to the host as well as unusual local activity, which may be an indication that an intruder has already gained some access and is attempting to extend or use it. The agent will apply a set of reactions such as Ignore (allow the operation to proceed), Block (cause the operation to fail) or Log (allow the operation to proceed but log its details).
An ILDP system may establish a policy to control the leakage of information from the organization by insiders. For example, the policy may specify which applications are allowed to access certain files, devices or network services, in order to prevent an application from reading a file and then forwarding a copy of it over the network or to an external device. Again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation.
Occasionally, the information immediately available to the agent and encapsulated within an event upon a request may not be sufficient to make a proper decision. For example, when an attempt is made to send a file to an external email destination, the fact that the file has been copied several weeks earlier from a designated internal folder may be relevant to the decision, even though this information is not immediately available.
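The following toy agent, added here as an illustration and not taken from the application or any product it cites, shows the structure described above (sensor Events, a Policy of Rules with Conditions and Reactions, and the correlation of low-level events into high-level ones) and the problem just raised: an email-send event carries only the file path, so the agent can reach the intended decision only if the earlier copy from a designated folder was recorded. The event kinds, the designated folder, the internal mail domain and the sample event sequence are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    """Event Description produced by a sensor: request kind, requesting
    application, and the request parameters/context."""
    kind: str
    app: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    """A Rule is a Condition (Template/Pattern) plus a Reaction."""
    name: str
    condition: Callable[[Event, "Agent"], bool]
    reaction: str  # "ignore" | "block" | "log"


# When several rules match, the strongest reaction wins.
PRECEDENCE = {"ignore": 0, "log": 1, "block": 2}


class Agent:
    def __init__(self, rules: List[Rule], designated: Tuple[str, ...] = ()):
        self.rules = rules
        self.designated = designated         # folders treated as sensitive (assumed)
        self.origin: Dict[str, str] = {}     # copy destination -> designated source folder
        self.last_read: Dict[str, str] = {}  # app -> last file it read
        self.log: List[str] = []

    def correlate(self, ev: Event) -> List[Event]:
        """Aggregate low-level events into higher-level ones and keep the
        history that a later event alone would not carry."""
        derived = [ev]
        if ev.kind == "file_copy":
            src_folder = ev.params["src"].rsplit("/", 1)[0]
            if src_folder in self.designated:
                self.origin[ev.params["dst"]] = src_folder
        elif ev.kind == "file_read":
            self.last_read[ev.app] = ev.params["path"]
        elif ev.kind == "net_send" and ev.app in self.last_read:
            # read followed by network send from the same app -> high-level event
            derived.append(Event("read_then_send", ev.app,
                                 {"path": self.last_read[ev.app],
                                  "dest": ev.params["dest"]}))
        return derived

    def handle(self, ev: Event) -> str:
        """Apply the policy to the event and everything derived from it."""
        decision = "ignore"
        for e in self.correlate(ev):
            for rule in self.rules:
                if rule.condition(e, self):
                    if rule.reaction == "log":
                        self.log.append(f"{rule.name}: {e.kind} by {e.app} {e.params}")
                    if PRECEDENCE[rule.reaction] > PRECEDENCE[decision]:
                        decision = rule.reaction
        return decision


INTERNAL_DOMAIN = "@corp.example"  # constructed

POLICY = [
    Rule("block-external-email-of-designated-file",
         lambda e, a: e.kind == "email_send"
         and e.params["path"] in a.origin
         and not e.params["to"].endswith(INTERNAL_DOMAIN),
         "block"),
    Rule("log-read-then-send-by-unapproved-app",
         lambda e, a: e.kind == "read_then_send" and e.app != "backup_agent",
         "log"),
]

# Constructed sequence of sensor reports.
SENSOR_EVENTS = [
    Event("file_copy", "explorer", {"src": "/corp/confidential/plan.docx",
                                    "dst": "/home/bob/plan.docx"}),
    Event("email_send", "mailer", {"path": "/home/bob/plan.docx",
                                   "to": "partner@external.example"}),
    Event("email_send", "mailer", {"path": "/home/bob/notes.txt",
                                   "to": "partner@external.example"}),
    Event("file_read", "browser", {"path": "/home/bob/notes.txt"}),
    Event("net_send", "browser", {"dest": "203.0.113.5:443"}),
]


def run(designated: Tuple[str, ...]) -> List[str]:
    """Feed the sample events through a fresh agent; return its decisions."""
    agent = Agent(POLICY, designated)
    return [agent.handle(ev) for ev in SENSOR_EVENTS]


if __name__ == "__main__":
    print("with history   :", run(("/corp/confidential",)))
    print("without history:", run(()))
```

With the designated folder known, the second event (the email of the copied file) is blocked; with no recorded history the same event is indistinguishable from the harmless third one and passes, which is exactly the gap the text describes.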
One approach to addressing this problem is to compare the content of the transmitted file against a global database of all sensitive documents in the organization. Such an approach is implemented by existing network-based ILDP systems. However, this approach suffers from several problems. It requires a centralized database, which is difficult to scale and is bound to produce many false positives. Furthermore, this database will not be available to hosts working offline or outside the organization's network. Finally, this approach assumes that the content of the transmission is always accessible; if the information asset is stored in an encrypted format, this type of system will not be able to compare it against the global database.
Thus, it would be advantageous to provide a method that addresses the problems of comparing the content of the transmitted file against a global database of all sensitive documents and the problem of information assets stored in encrypted format.
Prior art includes Stamos et al., US patent application 20050060537, which discloses a technique for establishing control over digital assets such as computer files. There is no content analysis. The system is gateway-based for e-mails. The system offers a way of tagging digital assets, but does not maintain the tagging through the life cycle of the information.
Carson et al., US patent application 20040167921, teaches a technique for efficient representation of dependencies between electronically stored documents, such as in an enterprise data processing system. File history is made available as metadata, but not at paragraph granularity. The application aims at controlling port and IP traffic.